CVE-2025-55213
OpenFGA Authorization Bypass (Check)
In short
OpenFGA versions 1.9.3 to 1.9.4 have a flaw where permission checks don't work correctly in certain situations, potentially allowing users to access resources they shouldn't be able to reach.
Technical detail
OpenFGA v1.9.3-1.9.4 fails to properly enforce authorization policies during specific Check and ListObject API calls due to improper access control logic (CWE-863). An attacker can bypass intended permission restrictions by exploiting these endpoints to gain unauthorized access to protected resources.
Summary generated and translated by AI from the official description.
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.9.3 to v1.9.4 ( openfga-0.2.40 <= Helm chart <= openfga-0.2.41, v1.9.3 <= docker <= v.1.9.4) are vulnerable to improper policy enforcement when certain Check and ListObject calls are executed. This vulnerability is fixed in 1.9.5.
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
Affected products
openfga · openfgaWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →